Russian nation-state actors exploiting a critical remote command execution vulnerability in the Unix mail transfer agent (MTA) known as Exim – Satnam Narang, Staff Research Engineer at Tenable shares his views:

In a recent cybersecurity alert issued by the National Security Agency (NSA), it was found that Russian nation-state actors have been exploiting CVE-2019-10149, a critical remote command execution vulnerability in the Unix mail transfer agent (MTA) known as Exim, since August 2019.

Though patches were made available in June 2019, security researchers observed active exploitation attempts in the wild four days after the flaw was originally patched. At the time, there were 4.1 million systems online running a vulnerable version of Exim based on search results from Shodan. Today, there are nearly a half a million servers still vulnerable to CVE-2019-10149.

Satnam Narang, Staff Research Engineer at Tenable comments about this latest development.

“The NSA recently issued a cybersecurity advisory warning that Russian nation-state actors have been exploiting CVE-2019-10149, a critical remote command execution vulnerability in the Unix mail transfer agent (MTA) known as Exim, since August 2019. Though patches were made available nearly a year ago in June 2019, security researchers observed active exploitation attempts in the wild a mere four days after the flaw was originally patched. At the time, there were 4.1 million systems online running a vulnerable version of Exim based on search results from Shodan. Today, there are nearly a half a million servers still vulnerable to CVE-2019-10149.

Whether it is a nation-state or financially-driven threat actors, this is another reminder that cybercriminals tend to set their sights on low hanging fruit. Zero-day vulnerabilities garner much attention, but practically speaking, it’s the publicly known unpatched vulnerabilities that provide cybercriminals the best bang for their buck. This is because many organizations struggle to keep pace with the sheer volume of newly-discovered vulnerabilities, providing cybercriminals a window of opportunity to gain a foothold by exploiting flaws such as this one.

This NSA warning follows a recent advisory from the Cybersecurity Infrastructure and Security Agency (CISA) which highlighted the top 10 routinely exploited vulnerabilities. Yet again, the list indicates that most threat actors are choosing not to spend their capital to burn a zero-day vulnerability, opting instead to target publicly known unpatched vulnerabilities in a variety of software like Exim.” – Satnam Narang, Staff Research.